CVE-2019-11842
Description
An issue was discovered in Matrix Sydent before 1.0.3 and Synapse before 0.99.3.1. Random number generation is mishandled, which makes it easier for attackers to predict a Sydent authentication token or a Synapse random ID.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Matrix Sydent and Synapse mishandle random number generation, enabling attackers to predict authentication tokens or IDs.
Vulnerability Description
CVE-2019-11842 affects Matrix Sydent before 1.0.3 and Synapse before 0.99.3.1 due to improper random number generation. This weakness makes it possible for attackers to predict Sydent authentication tokens or Synapse random IDs [1]. The root cause is the use of a predictable random number generator, which undermines the security of tokens that rely on unpredictability [2].
Exploitation
An attacker can exploit this vulnerability without any special privileges or network position, as the prediction requires only knowledge of the flawed generation algorithm or observation of previous outputs. The vulnerability is remotely exploitable, and no authentication is needed to begin the prediction attempt [2].
Impact
Successful prediction of authentication tokens could allow an attacker to impersonate legitimate users or gain unauthorized access to Matrix services. For Synapse, predicting random IDs could lead to information disclosure or session hijacking [3].
Mitigation
The vulnerability is fixed in Sydent 1.0.3 and Synapse 0.99.3.1. Users should update their installations immediately. No workarounds are available [1][2][3].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| matrix-sydent (PyPI) | < 1.0.3 | 1.0.3 |
| matrix-synapse (PyPI) | < 0.99.3.1 | 0.99.3.1 |
Affected products (3)
- Matrix/Sydent (description)
- ghsa-coords: 2 versions (< 1.0.3 + 1 more)
- (no CPE) range: < 1.0.3
- (no CPE) range: < 0.99.3.1
References (5)
- github.com/advisories/GHSA-gwf7-vfjf-wf6x (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2019-11842 (ghsa, ADVISORY)
- github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2019-185.yaml (ghsa, WEB)
- matrix.org/blog/2019/05/03/security-updates-sydent-1-0-3-synapse-0-99-3-1-and-riot-android-0-9-0-0-8-99-0-8-28-a (ghsa, WEB)
- matrix.org/blog/2019/05/03/security-updates-sydent-1-0-3-synapse-0-99-3-1-and-riot-android-0-9-0-0-8-99-0-8-28-a/ (mitre, x_refsource_MISC)